How to set up secure remote access to monitoring server using a NginX Reverse Proxy with SSL certificate
A reverse proxy protects applications against cybercriminals and malicious software. It also allows limiting access to applications based on username, IP, domain, or geographical location.
A reverse proxy is a network intermediary located between the application user and the infrastructure where the protected applications run. This allows you to eliminate many problems, such as the impact of DoS / DDoS attacks or application attacks. Another advantage of this type of solution is that the configuration of the application behind the reverse proxy does not require any major changes.
Additionally, with the Reverse Proxy on NginX you can block bots (both malicious and those from search engines), and restrict access to applications based on username, IP, domain, or geographical location. So, for example, you can limit access only for admins who log in from the office and home IP, and for admins from an office located in a specific country.
Configuration of NginX and SSL
Preconditions
Before configuring NginX Reverse Proxy, you should do the following:
- Create a name-to-number mapping (Host A) DNS entry, for example: netcrunch.your_domain_name.com
- Install and configure OS (preferably Linux)
- Create CSR - a certificate signing request
- Using the CSR, get an SSL certificate, at least a wildcard (*) certificate
- Install NginX
Configuration of NginX Reverse Proxy
To configure NginX Reverse Proxy, use the following commands:
- make a copy of the original nginx.conf file
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bac
- open the nginx.conf file in an editor
vi /etc/nginx/nginx.conf
Example configuration from nginx.conf file:
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;
    # virtual host files placed in conf.d are loaded from here
    include /etc/nginx/conf.d/*.conf;
    index index.html index.htm;
}
Configuration of SSL Wildcard certificate:
- Copy all the files in the package from the certificate provider to your server, along with the private key, to the appropriate directories. Best practice recommends placing the certificate files in the /etc/ssl directory on your server.
- Include the SSL configuration in the nginx.conf file, for example:
server {
    # "listen 443 ssl;" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    ssl_certificate /etc/ssl/your_domain_name.pem;  # or bundle.crt
    ssl_certificate_key /etc/ssl/your_domain_name.key;
    server_name your.domain.com;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;
    location / {
        root /home/www/public_html/your_domain_name.com/public/;
        index index.html;
    }
}
Creating virtual host(s) configuration
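Create the virtual host file in /etc/nginx/conf.d; files in that directory ending in .conf are loaded by the include directive in nginx.conf. For example (the file name is a placeholder):
vi /etc/nginx/conf.d/your_vhost_name.conf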
Example configuration:
server {
    listen 80;
    # names are separated by spaces, not commas
    server_name netcrunch.your_domain_name.com 10.0.2.10;
    location / {
        # forward all requests to the NetCrunch server
        proxy_pass http://10.0.11.12:8080;
    }
}
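The SSL server block and the virtual host above can be combined so that the proxied console is reachable only over HTTPS and only from approved addresses, as the introduction describes. This is an added example, not part of the original article; the allowed addresses (documentation ranges), the TLS protocol list and the forwarded headers are assumptions, while the host name, certificate paths and backend address reuse the article's placeholders.

```nginx
# Added example, not from the original article.
# Assumed values: 203.0.113.0/24 (office) and 198.51.100.7 (home) are
# constructed placeholder addresses from the documentation ranges.

# Plain HTTP only redirects; logins are never proxied in clear text.
server {
    listen 80;
    server_name netcrunch.your_domain_name.com;
    return 301 https://$host$request_uri;
}

# HTTPS terminates at the proxy, which forwards to the monitoring server.
server {
    listen 443 ssl;
    server_name netcrunch.your_domain_name.com;

    ssl_certificate     /etc/ssl/your_domain_name.pem;
    ssl_certificate_key /etc/ssl/your_domain_name.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log  /var/log/nginx/nginx.vhost.error.log;

    # Only the listed admin networks may connect; all others receive 403.
    allow 203.0.113.0/24;
    allow 198.51.100.7;
    deny  all;

    location / {
        proxy_pass http://10.0.11.12:8080;
        # Pass the original host and client address to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Keep the private key file readable by root only (mode 600); the NginX master process reads it before the worker processes drop privileges. Denied clients appear in the vhost error log as "access forbidden by rule", which is a useful line to alert on.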
Important notes
To complete the setup, remember to make sure that you
- set firewall rules:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
- enable NginX service:
sudo systemctl enable nginx
- check NginX configuration:
nginx -t
Configuration of NetCrunch to enable secure remote access to NetCrunch Server
As we mentioned at the beginning of the article, the configuration of the application itself does not require any major changes. All you have to do is to add a user in NetCrunch. To do it:
- Open the top menu Tools > User & Access Profiles...
- From the left pane select NetCrunch Users tab
- Click on the Add button on the bottom
- Provide Username, Access Profile, and Password
- Click OK button
From now on, you will be able to open the Web Console of your NetCrunch from anywhere in the world in a secure way.
Once you have created the appropriate user, open your web browser, enter the appropriate address, and log in using the previously created username and password.